mIRC Home    About    Download    Register    News    Help

Print Thread
Joined: Jun 2004
Posts: 5
Z
zest Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
Z
Joined: Jun 2004
Posts: 5
I'm using mirc 6.15 and yesterday someone messaged me a link containing a virus. I was dumb enough to go there, because it came from a somewhat respectable guy. My mirc started closing automatically. Well i performed a virus scan and it found trojandownloader.js.small.d and disinfected it.

Now my still mirc closes itself automatically at random intervals (like every 15 mins at least). I enabled mirc's confirm of quitting, but if i press No, the dialog reappears and i have no other choice than to press yes and close mirc. After mirc is close, a file called random.ecl is created in mirc dir.

I think this random.ecl is the virus. It contains hex code. I've tried to zero byte it, encrypt it, delete it, nothing helps. It creates itself automatically.

I know, i could just reinstall mirc. But the thing is, i've been using mirc for several years and i have loads of scripts there (yes, i tried to go thru the scripts without finding anything unusual), and it would take alot of time to reinstall everything, without even being sure if it would help.

So I'm asking, does anyone have a clue about the virus/script that could be causing this?

Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
Hoopy frood
M
Joined: Jun 2003
Posts: 5,024
Have you tried more than one virus/trojan scan? No *one* can detect everything, as there can be different variations of the same virus and so on. See this thread for some resources. I would suggest using 2 antiviruses and 2 trojan scanners, and 2 spyware scanners for good measure! Yes, it can be a little time consuming, but it's worth it in the long run!

Failing that, if you think an mIRC reinstall would help you might aswell do it. Save the scripts you know are definitely safe to another directory and replace them after a reinstall. I don't know if that would help though.

Hope it gets sorted!

Regards,


Mentality/Chris
Joined: Dec 2002
Posts: 1,922
O
Hoopy frood
Offline
Hoopy frood
O
Joined: Dec 2002
Posts: 1,922
A few suggestions...
  • Search the remote for random.ecl and exit (ignore "on exit" events, though)
  • Take a closer look at the most recent script: //echo -a $script($script(0))
  • Type /!timers and see if any of the background timers looks suspicious.
If you still have that URL, mind sending it to me in Private Message? I would like to see what exactly is in there.

Joined: Jun 2004
Posts: 5
Z
zest Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
Z
Joined: Jun 2004
Posts: 5
Unfortunately i can't find the link anymore, i think my virus scanner deleted it from IE's history. I don't log messages either.

I've tried
- Kaspersky's Antivirus (installed on my computer)
- Panda ActiveScan: http://www.pandasoftware.com/activescan/
- TrendMicro Housecall: http://housecall.trendmicro.com/

They dont find any viruses now.

Mirc hasn't closed itself now for sometime, so who knows if it's fixed somehow. Though it would seem that mirc window needs to be on top for the virus to 'work'.

<Search the remote for random.ecl and exit (ignore "on exit" <events, though)

Searched, it doesn't find it. How do i ignore exit?

<Take a closer look at the most recent script: //echo -a $script($script(0))

Show's a legit script.

<Type /!timers and see if any of the background timers looks <suspicious.

Also shows a legit timer.

Last edited by zest; 16/06/04 11:36 PM.
Joined: Aug 2003
Posts: 309
N
Fjord artisan
Offline
Fjord artisan
N
Joined: Aug 2003
Posts: 309
what script are u currently using?

does this happen on every network u are on?

try going on a network you wouldn't usually go to. dont go to any other networks. just the new one. and see if it still does it.


-Nick (Darko)
-Admin irc.aussiechat.org
-#Chatzone, #helpdesk
Joined: Dec 2002
Posts: 1,922
O
Hoopy frood
Offline
Hoopy frood
O
Joined: Dec 2002
Posts: 1,922
Quote:
How do i ignore exit?

Don't be alarmed if your remote search finds On *:exit:... script events. Those are OK. It's the /exit command (with or without a slash) that actually attempts to close mIRC, and I thought it might be somewhere in the remote.

Joined: Jun 2004
Posts: 5
Z
zest Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
Z
Joined: Jun 2004
Posts: 5
The problem is still there.

I've tried just about anything i could think. I'm going to try to reinstall mirc etc., tomorrow or so.

Thanks for the help though.

Joined: Jun 2004
Posts: 5
Z
zest Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
Z
Joined: Jun 2004
Posts: 5
OK i got Lavasoft Ad-watch installed, and whenever i click a channel that has an url in its topic, mirc tries to close itself and ad-watch starts to block something. However, if i disable ad-watch, mirc doesnt try to close itself and no pop-up occurs?? The url doesnt contain a virus.

Joined: Jun 2004
Posts: 5
Z
zest Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
Z
Joined: Jun 2004
Posts: 5
Yeah it seems that Ad-watch is the problem here, and not any virus. When i disabled "Block popups and banned sites" in ad-watch, the problem disappeared. For some reason, if an url is in a channels topic, and you select the channel as active window, Ad-watch thinks it's a popup and tries to kill mirc. Btw Ad-watch comes with Lavasoft Ad-aware 6.


Link Copied to Clipboard